
Trojan.Vundo.B [RESOLVED]

mg3305

Posted 21 October 2005 - 11:46 PM

mg3305

New Member

Member

9 posts

I'm running Windows XP with only one user and I use Norton Anti Virus. NAV has detected the Vundo.B virus. The C:\WINNT\System32\awvtu.dll file is infected and NAV is unable to repair this file. I initially started on the Symantec website and used the FxVundoB program with no results. I tried several other suggestions, again no results. I've read a lot about the virus now and have also read the solution that your site has provided to people. I have downloaded all of the software that you recommend and am ready to follow your advice. Before I started, I just wanted to post my HijackThis Log for you to review and to get me going. Your service is very much appreciated.


Crustyoldbloke

Posted 22 October 2005 - 04:01 AM

Crustyoldbloke

Old Malware Surgeon with a shaky scalpel

Retired Staff

15,130 posts

Hello mg3305 and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple-identity PCs (family PCs) present a different problem; please tell me if your PC has more than one individual’s settings.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions!

You have quite a mixture of malware and at least one instance of Virtumonde (Vundo B) infection, and no, the Symantec tool doesn’t fix it. Let’s see what we can do with the first sweep.

I note that you are running HijackThis from Desktop; please create a new folder for it (for example C:\Program Files\Hijackthis\Hijackthis.exe) and move the programme into it. It is very important you do this before anything else since backup files can be deleted if they are not within their own folder!

After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat

You will first be presented with a warning.
It should look like this

VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....

At this point press enter once.

Next you will see:

Please Type in the filepath as instructed by the forum staff
and then press enter:

At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINNT\System32\awvtu.dll

Press Enter to continue with the fix.

Next you will see:

Please type in the second filepath as instructed by the forum
staff then press enter:

At this point please type the following file path (make sure to enter it exactly as below!): C:\WINNT\System32\utvwa.*

Press Enter to continue with the fix.

The fix will run then HijackThis will open, if it does not open automatically please open it manually.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programmes menu). Set the programme up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

mg3305

Posted 24 October 2005 - 07:45 PM


Hello Crusty!

Thanks for responding. Since I posted my message though, I did some more research (most of which was reading posts on this site) and saw one by a lady that said she tried going back to Symantec because they posted a new fix for the Vundo virus. So, I did and it appears to have worked. I'm no longer getting the pop up window from Norton stating that I have the virus and my machine seems to be working better. However, Norton has told me that I have two malwares but I cannot seem to get rid of them. I want to post my Hijack This log again and see if there is anything else you see that can be cleaned and to have another set of eyes double check and make sure I do not have the Vundo virus.

Also, I haven't quite figured out how to maneuver around this site. I see you posted on the same day I did. I've been waiting for a response and kept trying to check but did not know how to find out if someone responded to me. I kept going to check my mail under my controls. How do I know when someone responds to my post? The only way I found this was by doing a search and looking up my userID and opening my post and seeing that you responded. What am I missing? I know it's got to be something easy and I'm going to feel really stupid when you tell me.

Crustyoldbloke

Posted 25 October 2005 - 02:34 AM

To ensure that you are subscribed to this thread, scroll to your original post, look for a box called OPTIONS and click Track this topic

I am surprised by your faith in Symantec; I tried their Vundo B fix a few weeks ago and it did not work.

The fix I wrote previously was based upon your log at that time. These fixes take a while to do as I have to analyse your HJT log, researching any item I cannot identify before constructing the fix for your PC and only your PC. I am therefore disappointed that you haven't bothered with it, but now you want another one.

Well I have again scrutinised your HJT log; you still have Vundo B, which has changed its identity, and all the other malware that you had before. Here is your fix for your PC based upon your latest HJT log.

After the files are extracted, please reboot your computer into Safe Mode. You can do this by restarting your computer and continually tapping the F8 key until a menu appears. Use your up arrow key to highlight Safe Mode then hit enter.

Once in safe mode open the VundoFix folder and doubleclick on KillVundo.bat

You will first be presented with a warning.
It should look like this

VundoFix V2.15 by Atri
By using VundoFix you agree that you are doing so at your own risk
Press enter to continue....

At this point press enter once.

Next you will see:

Please Type in the filepath as instructed by the forum staff
and then press enter:

At this point please type the following file path (make sure to enter it exactly as below!):

C:\WINNT\System32\pmkhi.dll

Press Enter to continue with the fix.

Next you will see:

Please type in the second filepath as instructed by the forum
staff then press enter:

At this point please type the following file path (make sure to enter it exactly as below!): C:\WINNT\System32\ihkmp.*

Press Enter to continue with the fix.

The fix will run then HijackThis will open, if it does not open automatically please open it manually.

Open Cleanup! by double-clicking the icon on your desktop (or from the Start > All Programmes menu). Set the programme up as follows:
Click "Options..."
Move the arrow down to "Custom CleanUp!"
Put a check next to the following (Make sure nothing else is checked!):

The update will start and a progress bar will show the updates being installed.
(the status bar at the bottom will display "Update successful")

If you are having problems with the updater, you can use this link to manually update Ewido: Ewido manual updates
Do NOT run a scan yet.

Next, please reboot your computer in Safe Mode by doing the following:
1) Restart your computer
2) After hearing your computer beep once during startup, but before the Windows icon appears, press F8.
3) Instead of Windows loading as normal, a menu should appear
4) Select the first option, to run Windows in Safe Mode.

For additional help in booting into Safe Mode, see the following site:

Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.

In the Killbox programme, select the Delete on Reboot option.

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINNT\System32\f1crcc1j.exe
C:\WINNT\web\related.htm

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.

Post back a fresh HijackThis log (from normal mode) and I will take another look.
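The two VundoFix paths in each of the fixes above follow one pattern that is visible in the posts but never spelled out: the second path is the first file's basename spelled backwards, with a wildcard extension (awvtu.dll pairs with utvwa.*, and after the DLL renamed itself, pmkhi.dll pairs with ihkmp.*). The following Python is an added example by the editor, not code from the thread or from VundoFix; it derives that second path from a suspect DLL and scans a directory listing for such reversed-name pairs. The listing is constructed for the demo, and treating a reversed-name pair as suspicious is a review aid, not a claim about how VundoFix itself decides what to remove.

```python
import ntpath
from typing import Dict, List, Tuple

# Constructed System32 listing for the demo: the two Vundo file names from this
# thread plus a few legitimate Windows DLLs and the f1crcc1j leftovers.
SAMPLE_SYSTEM32: List[str] = [
    "kernel32.dll", "ntdll.dll", "user32.dll",
    "awvtu.dll", "utvwa.ini", "utvwa.bak",   # first Vundo DLL and its reversed-name companions
    "pmkhi.dll", "ihkmp.ini",                # the renamed Vundo DLL from the second log
    "f1crcc1j.exe", "f1crcc1j.ini",          # unrelated leftovers: not a reversed pair
    "lol.dll",                               # palindrome: must not pair with itself
]


def companion_pattern(dll_path: str) -> str:
    """Return the 'second filepath' VundoFix asks for: same directory,
    basename reversed, and a '.*' wildcard because the companion's
    extension varies between variants. ntpath keeps Windows separators
    working even when this runs on a non-Windows host."""
    directory, filename = ntpath.split(dll_path)
    stem, _ext = ntpath.splitext(filename)
    return ntpath.join(directory, stem[::-1] + ".*")


def find_reversed_pairs(listing: List[str]) -> List[Tuple[str, List[str]]]:
    """Report each .dll in a directory listing whose reversed basename is
    also present under any extension. Matching is case-insensitive because
    NTFS file names are."""
    by_stem: Dict[str, List[str]] = {}
    for name in listing:
        stem, _ext = ntpath.splitext(name)
        by_stem.setdefault(stem.lower(), []).append(name)

    hits: List[Tuple[str, List[str]]] = []
    for name in listing:
        stem, ext = ntpath.splitext(name)
        if ext.lower() != ".dll":
            continue
        reversed_stem = stem.lower()[::-1]
        if reversed_stem == stem.lower():
            continue  # a palindromic name would match itself
        companions = sorted(by_stem.get(reversed_stem, []))
        if companions:
            hits.append((name, companions))
    return hits


if __name__ == "__main__":
    for dll, companions in find_reversed_pairs(SAMPLE_SYSTEM32):
        pattern = companion_pattern(ntpath.join(r"C:\WINNT\System32", dll))
        print(dll, "->", ", ".join(companions), "| VundoFix second path:", pattern)
```

Run against a real `dir /b C:\WINNT\System32` capture, the scanner gives you the same pair a helper would pick out of an HJT log by eye; palindromic names are skipped, and any hit still needs a file scan (as the thread does with Kaspersky) before anything is deleted.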


Crustyoldbloke

Posted 27 October 2005 - 01:57 AM

One file is refusing to budge and it wasn't identified by either Panda or Ewido.

Please visit Kaspersky for a file scan. Navigate to the named file below and submit it for analysis. Please wait for their answer.

Suspect file: C:\WINNT\System32\f1crcc1j.exe

If the file is deemed to be bad (I think it is a randomly named Trojan), continue with the fix, otherwise your log is clean and I just need to give you some advice.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [f1crcc1j] C:\WINNT\System32\f1crcc1j.exe

Now close all windows other than HiJackThis, then click Fix Checked.

Please install Killbox by Option^Explicit.

Extract the programme to your desktop and double-click on its folder, then double-click on Killbox.exe to start the programme.

In the Killbox programme, select the Replace on Reboot and use dummy option.

Copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\WINNT\System32\f1crcc1j.exe

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "Yes" at the reboot now prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click download and run missingfilesetup.exe. Then try TheKillbox again.
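Both Killbox options used in this thread (Delete on Reboot in the 25 October post, Replace on Reboot and use dummy here) rely on one Windows mechanism: MoveFileEx with MOVEFILE_DELAY_UNTIL_REBOOT, which records the operation in the REG_MULTI_SZ value PendingFileRenameOperations under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager so the session manager carries it out early in the next boot, before any process can lock the file again. The Python below is an added example by the editor, not Killbox's code and not from the thread: it encodes and decodes that value offline, shows why a delete entry (an empty destination string) trips up any parser that splits on a double NUL, and wraps the real API call for Windows only. The layout of the value (NT-style "\??\" paths in source/destination pairs, empty destination for delete, "!" prefix for replace-existing) is Windows' documented behaviour; the dummy file name is made up for the demo.

```python
import sys
from dataclasses import dataclass
from typing import List, Optional

# Windows keeps deferred renames/deletes in a REG_MULTI_SZ value:
#   HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\PendingFileRenameOperations
# It is a flat list of source/destination pairs written as NT paths ("\??\C:\...").
# An empty destination means "delete"; a leading "!" means "overwrite if it exists".
NT_PREFIX = "\\??\\"
MOVEFILE_REPLACE_EXISTING = 0x1
MOVEFILE_DELAY_UNTIL_REBOOT = 0x4


@dataclass
class PendingOp:
    source: str                        # Win32 path the operation acts on
    destination: Optional[str] = None  # None = delete at boot
    replace_existing: bool = False     # the "!" flag on the destination


def encode_pending_ops(ops: List[PendingOp]) -> bytes:
    """Build the raw REG_MULTI_SZ bytes: UTF-16LE, every string NUL-terminated,
    one extra NUL terminating the list."""
    strings: List[str] = []
    for op in ops:
        strings.append(NT_PREFIX + op.source)
        if op.destination is None:
            strings.append("")  # empty destination = delete
        else:
            dest = NT_PREFIX + op.destination
            strings.append(("!" if op.replace_existing else "") + dest)
    return ("\0".join(strings) + "\0\0").encode("utf-16-le")


def decode_pending_ops(blob: bytes) -> List[PendingOp]:
    """Parse the value back. Walk it pairwise: a delete entry is an empty
    string, so consecutive NULs inside the value are data, not the end."""
    text = blob.decode("utf-16-le")
    if not text.endswith("\0\0"):
        raise ValueError("REG_MULTI_SZ must end with an empty string")
    body = text[:-2]
    if body == "":
        return []
    strings = body.split("\0")
    if len(strings) % 2:
        raise ValueError("expected source/destination pairs")
    ops: List[PendingOp] = []
    for src, dst in zip(strings[0::2], strings[1::2]):
        if not src.startswith(NT_PREFIX):
            raise ValueError(f"source is not an NT path: {src!r}")
        if dst == "":
            ops.append(PendingOp(src[len(NT_PREFIX):]))
            continue
        replace = dst.startswith("!")
        dst = dst[1:] if replace else dst
        if not dst.startswith(NT_PREFIX):
            raise ValueError(f"destination is not an NT path: {dst!r}")
        ops.append(PendingOp(src[len(NT_PREFIX):], dst[len(NT_PREFIX):], replace))
    return ops


def delete_on_reboot(path: str) -> PendingOp:
    """Killbox 'Delete on Reboot' for one file."""
    return PendingOp(path)


def replace_on_reboot_with_dummy(path: str, dummy: str) -> PendingOp:
    """Killbox 'Replace on Reboot and use dummy': a harmless file is moved
    over the target at boot, overwriting it even though it was locked."""
    return PendingOp(dummy, path, replace_existing=True)


def schedule(op: PendingOp) -> None:
    """Hand one operation to Windows via MoveFileExW(MOVEFILE_DELAY_UNTIL_REBOOT).
    Needs administrator rights; on any other platform it refuses to run."""
    if sys.platform != "win32":
        raise RuntimeError("MoveFileExW is only available on Windows")
    import ctypes
    flags = MOVEFILE_DELAY_UNTIL_REBOOT
    if op.replace_existing:
        flags |= MOVEFILE_REPLACE_EXISTING
    # A NULL new name with the delay flag means "delete at boot".
    if not ctypes.windll.kernel32.MoveFileExW(op.source, op.destination, flags):
        raise ctypes.WinError()


if __name__ == "__main__":
    queued = [
        delete_on_reboot(r"C:\WINNT\web\related.htm"),
        replace_on_reboot_with_dummy(r"C:\WINNT\System32\f1crcc1j.exe",
                                     r"C:\WINNT\System32\dummy.tmp"),
    ]
    for entry in decode_pending_ops(encode_pending_ops(queued)):
        print(entry)
```

The practical use is the check the thread itself could not do: before rebooting, read the value back (regedit, or `reg query "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v PendingFileRenameOperations`) and decode it, so you know exactly which files will be removed or overwritten at the next boot, and which entry a second tool may have silently replaced.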

mg3305

Posted 28 October 2005 - 08:22 PM


Crusty,

Sorry it took me so long to get back to this. I've been working a lot the last few days. Anyway, I ran the f1crcc1j file through Kaspersky and it stated that it was clean. I submitted it for analysis.

I then ran Hijack This and did a Fix Checked on the file.

I then opened Killbox and attempted to delete the file. Killbox stated that the file did not exist. However, there is an f1crcc1j.ini file still located in that pathway.

Otherwise, everything is looking good. Thank you very much for your assistance.

If I may indulge you one more time, I would like some advice..... I use Norton and Aluria as my antivirus and spyware programs. Do you recommend something different? Is there something better?

I'm also posting my latest Hijack This log one last time. I'm not sure if you need this but here it is.

Crustyoldbloke

Posted 29 October 2005 - 09:33 AM


Congratulations! Your new log is clean. Just a little bit more to do to prevent further infection.

Reset and Re-enable your System Restore to remove bad files that have been backed up by Windows. The files in System Restore are protected to prevent any programmes changing them. This is the only way to clean these files: (You will lose all previous restore points which are likely to be infected.)

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.
2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

MOST IMPORTANT: You should update Windows and Internet Explorer to get all the latest Security Patches to protect your computer from the malware that is around on the internet.

I recommend going to the following link and update as recommended by Microsoft. This adds more security and extra features including a pop-up blocker for Internet Explorer. Microsoft Update

Now that everything is fixed, I suggest that you consider getting these programmes to help keep the computer clean:

SPYWARE BLASTER - Blocks bad ActiveX items from installing on your computer.
AD-AWARE PERSONAL - A fine free malware detector and removal programme.
SPYBOT S&D - Excellent free spyware detector and removal programme.
GOOGLE TOOLBAR - Blocks many unwanted pop-ups in Internet Explorer.
FIREFOX - Safer alternative to the Internet Explorer web browser.
AVG ANTIVIRUS FREE EDITION - Free antivirus programme if you currently are not using one.
ZONEALARM - Free firewall programme if you currently are not using one (Windows XP has a built-in firewall).

Remember to update these frequently.

Please note that whilst there is nothing wrong in having more than one antispyware programme for “on demand” scanning, having two or more antivirus systems is not recommended as they may well interfere with each other.

I have to be a little circumspect in recommending programmes as much is down to personal preferences. If you wish to find genuine independent surveys of AV and AS software, by all means do. I have never been a fan of Norton; I just find it all too much and very restrictive and I have had some real battles over the years with it. The only thing I like about it is uninstalling it.

I use AVG with daily updates and scan, Microsoft Antispyware with daily updates and scan, Ewido two or three times a week, Ad-Aware once per week and Spybot once per week. I use Mozilla Firefox as a browser.